NETWORK/TDI BLOCKING METHOD AND SYSTEM

Field of the Invention:

The invention relates to the protection of data stored in a computer, and more particularly, to data which has been secured and opened by non-secure applications where a high level application or operating system component acts to disable certain system resources in order to protect the security of data.

Background of the Invention:

In computer systems, processes may access many system resources, such as serial ports or connections to the Internet. In a situation in which secured data is being accessed by a non-secured application, a means must be developed by which the non-secured application can be restricted from performing operations which might compromise the security of the data.

It is known to open secure data in a system which is completely isolated from outside communications, which has no connection to means by which an unsecured application may, by accident or sabotage, compromise the secured data. It is also known to open secure data with secure applications, which are known to be free from the risk of accident or sabotage that would compromise the secured data. These solutions prevent the use of popular software applications to open secured data, or the use of a computer which is not disconnected from outside communications, and thereby are limited in their usefulness.

Summary of the Invention:

The invention discloses a network/TDI (transport driver interface) blocking method particularly applicable to a system in which secured data is transmitted to a recipient computer for use with non-secured applications. An illustrative embodiment of the invention comprises performing a security check on a process and blocking calls for use of the network if they come from a process using secured data. The tracking of secured processes may include determining whether and how often a secured process should be allowed to use a network. The security check may include determining whether the process is secured by consulting a secured process list and determining whether the resource should be available to the process requesting use of the resource.

Further disclosed is a network blocking system, secured data transmission system using network blocking, computer-readable medium programmed to block network use, and a computer configured to block network use.

Description of the Drawings:

The invention is best understood from the following detailed description when read with the accompanying figures.

Figure 1 is a schematic diagram of a computer system operating according to an illustrative embodiment of the network blocking method of the invention.

Figure 2 is a flow chart of a network request in a computer system operating according to an illustrative embodiment of the network blocking method of the invention.

Detailed Description of the Invention:

The invention disclosed prohibits certain processes from utilizing the network resources of the computer on which they are running. These may be secured processes, for example, ones which have opened secure data. In a preferred embodiment of the invention, the status of a process as secured is determined by the process's presence on a list of secured processes.

In a preferred embodiment, as shown in Fig. 1, in a computer 100, a control application 110 runs on the kernel (ring 0) level 120 and applications 130 run on higher levels 140. When applications request access to network / TDI interface 150, control application 110 monitors and handles these access requests.

As shown in Fig. 2, network blocking is accomplished by not permitting a send request to be processed for secure applications. When a send request is initiated 200, control application (110 in Fig. 1) intercepts that request, and determines the process id 210. The control application (110 in Fig. 1) in a preferred embodiment accesses a list of processes that are not allowed to access the network. The process id is used to determine whether the process is secure (not allowed to access the network) 220. If it is secure, the request is blocked at 230. If it is not secure, then the request is passed on to the network 250.
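The decision path of Fig. 2, together with the "whether and how often" criterion from the Summary, as an added user-mode simulation that is not part of the patent. Real TDI interception needs a kernel filter driver; here the send request is a plain (pid, payload) pair, the control application is a class, and the per-process send allowance, pids and payloads are constructed assumptions.

```python
# Added example (not from the patent): simulation of the Fig. 2 decision logic.
# Assumptions: a secured pid is mapped to the number of sends it may still make
# (0 = never), which models "whether and how often" a secured process may use
# the network. Pids absent from the list are treated as not secured.
from dataclasses import dataclass, field

BLOCKED, PASSED = "blocked", "passed"


@dataclass
class ControlApplication:
    """Stand-in for control application 110: holds the secured-process list
    and an audit trail of every decision it made."""
    secured: dict = field(default_factory=dict)   # pid -> remaining sends
    audit: list = field(default_factory=list)     # (pid, payload_len, decision)

    def mark_secured(self, pid: int, sends_allowed: int = 0) -> None:
        """Called when a process opens secured data."""
        self.secured[pid] = sends_allowed

    def mark_released(self, pid: int) -> None:
        """Called when the process exits or closes the secured data."""
        self.secured.pop(pid, None)

    def on_send_request(self, pid: int, payload: bytes) -> str:
        """Steps 210-250 of Fig. 2: identify pid, consult list, permit or deny."""
        if pid not in self.secured:             # step 220: not a secure process
            decision = PASSED                   # step 250: hand to the network
        elif self.secured[pid] > 0:             # secured, but allowance remains
            self.secured[pid] -= 1
            decision = PASSED
        else:
            decision = BLOCKED                  # step 230: request blocked
        self.audit.append((pid, len(payload), decision))
        return decision


def run_scenario() -> list:
    """Constructed sample: pid 4 is an ordinary app, pid 7 opened secured data,
    pid 9 opened secured data but was granted exactly one send."""
    ctl = ControlApplication()
    ctl.mark_secured(7)
    ctl.mark_secured(9, sends_allowed=1)
    requests = [(4, b"GET / HTTP/1.0"), (7, b"secret doc"), (9, b"one"), (9, b"two")]
    for pid, data in requests:
        ctl.on_send_request(pid, data)
    ctl.mark_released(7)                        # pid 7 closes the secured data
    ctl.on_send_request(7, b"after close")      # now passes: no longer on the list
    return ctl.audit
```

The audit trail is what a defender would forward to logging: a blocked send from a pid that never opened secured data, or a pass for one that did, indicates the list is being maintained incorrectly.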

A further illustrative embodiment of the invention is directed to a network blocking system wherein certain processes are restricted from accessing a network, according to the methods provided herein. Further disclosed is a secured data transmission system having a network blocking component to prohibit certain processes from accessing a network according to the methods provided herein. Still further disclosed is a computer-readable medium programmed to block network use according to the methods provided herein. Still further disclosed is a computer configured to include a network blocking system to block certain processes from accessing a network according to the methods provided herein.

The terms "computer", "computer system", or "system" as used herein include any electronic device having a processor or microprocessor including, without limitation, a personal computer, such as a laptop, palm PC, desktop or workstation, a network server, a mainframe, an electronic wired or wireless device, such as for example, a telephone, an interactive television, such as for example, a television adapted to be connected to the Internet or an electronic device adapted for use with a television, a cellular telephone, a personal digital assistant, an electronic pager, a digital watch, or any other device capable of receiving information, such as email, from another source. A computer, computer system, or system of the invention may operate in communication with other systems over a network, such as, for example, the Internet, an intranet, or an extranet, or may operate as a stand-alone system.

While the invention has been described by illustrative embodiments, additional advantages and modifications will occur to those skilled in the art. Therefore the invention in its broader aspects is not limited to specific details shown and described herein. Modifications may be made without departing from the spirit and scope of the invention. Accordingly, it is intended that the invention not be limited to the specific illustrative embodiments but be interpreted within the full spirit and scope of the appended claims and their equivalents.
We claim:

1. A network blocking method for securing data comprising:

a network request detection step of detecting a network request for use of a network sent by a process;

a process identification step of determining the identity of said requesting process;

a process check step of determining if said process should be permitted to access said network; and

a permit/deny step of allowing said network request to be fulfilled if said process should be permitted to access said network and denying said network request if said process should not be permitted to access said network.

2. The method of claim 1 where said process check step comprises:

a secure process list check step of determining whether said process appears on a list of secure processes.

3. The method of claim 1, where said network request interface is the Transport Data Interface.

4. A network blocking system wherein said network blocking system operates to determine the identity of said requesting process; determine if said process should be permitted to access said network; and allow said network request to be fulfilled if said process should be permitted to access said network and deny said network request if said process should not be permitted to access said network.

5. A secured data transmission system having network blocking system which operates to determine the identity of said requesting process; determine if said process should be permitted to access said network; and allow said network request to be fulfilled if said process should be permitted to access said network and deny said network request if said process should not be permitted to access said network.

6. A computer operably connected to a network configured to protect secure data by including a network blocking system which operates to determine the identity of said requesting process; determine if said process should be permitted to access said network; and allow said network request to be fulfilled if said process should be permitted to access said network and deny said network request if said process should not be permitted to access said network.

7. A computer-readable medium programmed to protect secure data by implementing a network blocking system which operates to determine the identity of said requesting process; determine if said process should be permitted to access said network; and allow said network request to be fulfilled if said process should be permitted to access said network and deny said network request if said process should not be permitted to access said network.